Will Quantum Cryptography ever become a successful technology in the marketplace? 



Hoi-Kwong Lo 
MagiQ Technologies Inc. 
275 Seventh Avenue 
26th Floor 
New York, NY 10001 
(February 1, 2008) 

We assess the potential of quantum cryptography as a technology. We highlight the fact that 
academia and real world have rather different perspectives and interests. Then, we describe the 
various real life forces (different types of users, vendors of crypto-systems, conventional cryptogra- 
phers, governments) behind the decision of the adoption (or rejection) of quantum cryptography and 
their different interests. Various roadblocks to the widespread application of quantum cryptography 
are discussed. Those roadblocks can be fundamental, technological, psychological, commercial or 
political and many of them have nothing to do with the security of quantum key distribution. We 
argue that the future success of quantum cryptography as a technology in the marketplace lies in 
our ability to appreciate and to overcome those roadblocks and to answer real world criticisms on 
the subject. 

I. INTRODUCTION 

In this quantum cryptography workshop^] we have 
heard many interesting talks. From an academic point 
of view, it is quite clear that quantum cryptography is 
a very active research area. Now, from the technological 
point of view, it is natural to ask about the potential of 
quantum cryptography as a technology. In other words, 
will quantum cryptography ever be widely used in future? 

Given the immense progress in both the theoretical 
and experimental sides in the last few years, some of us 
in the audience may be tempted to say 'yes'. However, 
ultimately the answer to this question does not depend 
on the subjective opinions of research scientists, but on 
the complex social and economic forces behind it as well 
as future advancements in the quantum technology. 

On the question of whether quantum cryptography will 
ever be widely used in future, I certainly do not claim 
to have a full answer. In this talk, I will simply share 
with you some of my thoughts on the subject. None 
of the viewpoints expressed here are original. Nor are 
they sophisticated. They are just my personal simplifi- 
cations and understandings/misunderstandings of what 
is well known to people in other walks of life. However, 
those viewpoints may not be commonly known to quan- 
tum cryptographers. Being an industrial researcher with 
a non-negligible amount of experience in research and 
development of real-life conventional security systems, I 
find it of value to introduce these viewpoints to other 
quantum cryptographers. My hope is to stimulate further 
discussions on the subject. Your comments, corrections 
and criticisms will be welcome. 

II. ACADEMIA VS REAL WORLD 
A. Technology focussed vs solution focussed 

Let me begin by saying that the academic world 
and the real world have very different perspectives. In 
academia, we often deal with curiosity driven research. 
Even in quantum technology, our main focus is technol- 
ogy. That is to say the technological aspects of a subject. 
For instance, in this workshop many talks deal with the 
fundamental and technical issues of the security of quan- 
tum cryptographic systems. Important as they are, those 
subjects are so esoteric that they are quite beyond the 
understanding of even the most sophisticated developers 
and customers of conventional cryptography. More im- 
portantly, those subjects do not necessarily address their 
real world concerns. 

In the real world, customers (users of cryptography) 
generally have problems and they look for solutions, not 
technology. It does not matter whether it is high-tech 
or low-tech, so long as it can solve their problem, they 
will take it. For instance, putting an eraser on top of 
a pencil is a trivial idea from the technological point of 
view. From the users' point of view, this can be regarded 
as a major invention that offers convenience and added 
value to the individual eraser and the pencil. As another 
example, nuclear power generators may be a high-tech 
solution. But, it must compete with low-tech alternatives 
like oil and coal in a competitive commodity market — 
electricity generation. 

Clearly, customer acceptance is very important to the 
success of a technology in the marketplace. Besides customers, 
there are many other players in the development/adoption 
of new technologies. Different players 
have different interests and concerns, some of which may 
be regarded as irrational by outsiders. Whether we like 
it or not, the only way to assure that a technology is 
adopted is to better understand the diverse interests and 
concerns of different players in the field. 

B. Players in the Quantum Game 

Let me introduce the interested parties in the develop- 
ment/adoption of cryptographic/security systems one by 
one and describe their main concerns. 

1. Academia 

(A) Quantum Cryptographers Type I (Particu- 
larly Theorists): The main interest of theoreticians in 
quantum cryptography is to design cryptographic proto- 
cols with perfect security [Q . 

(B) Quantum Cryptographers Type II (Partic- 
ularly Experimentalists): The main interest of ex- 
perimental quantum cryptographers is to design and im- 
plement quantum cryptographic schemes that are feasi- 
ble with current (or near future) technology and secure 
against realistic attacks [0. 

(C) Conventional Cryptographers? Some people 
may argue that many conventional cryptographers live in 
the same academic world as quantum cryptographers. I 
have no comment on this argument. 

2. Real World 

(A) Users Type I (individuals): The main interest 
of individual customers in using cryptographic/security 
products is often the peace of mind. If the users voluntarily 
use the product, this peace of mind may be due to the 
perceived security offered by the product. If the users are 
forced to use the products by others, the peace of mind 
may arise because they make their employers happy. 

Cost and transparency are two other major concerns 
of the individual customer. Someone working on infor- 
mation security once told me that the general feeling in 
the community is that security does not sell (i.e., while 
customers worry about security, they are unwilling to pay 
for a higher-price product for the sole reason of its being 
more secure). The acceptable additional cost of a more 
secure product is essentially zero. People are interested 
in a solution (say a payment scheme) that is offered as 
a complete package: versatility, convenience of use, 
reliability, cost and security. "Security" is just a small 
term in the whole equation. Here, I have put security 
in quotation marks because it is perceived security that 
counts. A layman generally does not understand real 
security. Besides, it appears to me that there is no logical 
consistency in users' behaviors when many of them seem 
perfectly happy in giving out their credit card numbers 
over the phone, but not over the Internet. 



Transparency of the operation of encryption is also a 
plus. While a layman can intuitively appreciate the 
security offered by an encrypted file which looks garbled 
even to the unsophisticated eye, the same cannot be said 
for quantum cryptography. 

(B) Users Type II (businesses): A notable moti- 
vation for many businesses such as the banking industry 
to employ cryptographic products for its customers is 
to limit its financial and legal liability. Businesses gen- 
erally accept a certain degree of financial losses due to 
insecure products as parts of their normal operating cost 
in doing businesses. Therefore, non-perfect security of 
conventional cryptographic systems is not a bad thing, 
but a fact of life. The important things are to have risk 
management and to have risk factors that are well under- 
stood. Employing industrial standards is very useful in 
reducing businesses' financial and legal liability. Employ- 
ing a non-standard disruptive technology like quantum 
cryptography is much more risky. 

Securing long distance communication is an impor- 
tant concern in businesses. As international companies 
are now getting more and more global and tremendous 
amounts of data are passed between different offices of 
the same company or different companies, there is an in- 
creasing need in securing those massive transcontinental 
communications. Besides, there is an increasing need for 
post-Cold-War type of applications like authentication 
and signatures. 

(C) Vendors of Crypto Products: Like any other 
businesses, the main concern of vendors of crypto prod- 
ucts is to make money in the long run. Besides, ven- 
dors have vested interests in deciding which technology 
to employ. For instance, a vendor with a large number of 
patents and products in the elliptic curve crypto-systems 
might be tempted to emphasize the strengths of elliptic 
curve crypto products compared to products based on 
other principles. 

(D) Conventional Cryptographers and Security 
Experts: Because of their own background and expe- 
rience, conventional cryptographers and security experts 
are keen to use something that they can understand and 
trust such as the one-way function hypothesis. If you 
ask them whether they believe in quantum mechanics or 
one-way hypothesis more, their answer is clear. 

(E) Governments: Different departments in a gov- 
ernment have different interests. For instance, the mili- 
tary and the foreign office are certainly interested in hav- 
ing perfect security for their communications. On the 
other hand, for agencies such as the FBI, the ability to 
wiretap communications of the criminals is very impor- 
tant. From this point of view, perfect security might 
threaten national security and should be discouraged or 
controlled by laws. I am not up to date with the current 
US regulations. However, until recently, cryptography 
has been regarded as ammunition in the US laws, sub- 
ject to the strictest control in its usage and export. 

III. ROADBLOCKS 

Having introduced the different players and their inter- 
ests in cryptography, it is the time to discuss the major 
roadblocks to the future deployment of quantum cryp- 
tographic systems. For ease of discussion, I will divide 
those roadblocks into different classes. However, my di- 
vision is somewhat subjective. 

A. Fundamental roadblocks 

Quantum cryptography is a fundamentally limited 
technology. 

(A) Impossibility of unconditional security for 
many applications 

First, it has a limited range of applications. The funda- 
mental appeal of quantum cryptography has been perfect 
or unconditional security (i.e., security guaranteed by the 
laws of quantum mechanics only and without making 
any computational assumptions). However, the uncon- 
ditional security of a number of important basic proto- 
cols such as bit commitment Q , one-out-of-two oblivious 
transfer Q and one-way identification (and more gener- 
ally, one-sided two-party secure computations) H) have 
been shown to be impossible in a series of no-go theorems. 
What it means is that all such protocols must require 
quantum computational assumptions. 

(B) Lack of public key based quantum crypto- 
graphic schemes 

Second, quantum cryptography has made no signifi- 
cant contribution to public key cryptography. Many real 
life cryptographic applications such as signature and au- 
thentication schemes in the Internet age involve public 
key cryptography. However, very little (if anything) has 
been done on quantum cryptographic signature and au- 
thentication schemes that are public-key based. 

B. Technological roadblocks 

(C) Limited distance in current quantum key 
distribution experiments 

Experimental quantum key distribution has been per- 
formed over tens of kilometers. However, a major mar- 
ket for secure communication is, in fact, transcontinental 
communications. Until the distance achieved in experimental 
quantum key distribution increases by two orders 
of magnitude, quantum key distribution is not a feasible 
technology for this major market sector. 

(D) Limited data rate 

The current data rate for experimental quantum key 
distribution is of the order of kbits per second. (Worse still, 
the post-processing including error correction and privacy 
amplification is quite massive.) In contrast, the 
current world record for a single mode optical fiber 
communication is 160 Gbits per second 0. "Multiplying 160 
gigabits over additional wavelengths, we expect to be able 
to scale up to many trillions of bits a second in the 
foreseeable future," says Alastair Glass, director of Bell Labs 
Photonics Research Labs. If quantum key distribution is 
ever going to be widely used for one-time pad application 
for the massive data being transmitted in commercial optical 
fibers, there is probably a ten-order-of-magnitude 
gap in data rate to be closed in the foreseeable future. 

C. Commercial roadblocks 

(E) Equipment size is too big. 

Ideally, cryptographic applications should be done 
either by software or by a very small hardware component 
such as a smart card or a CD. Unfortunately, current 
quantum cryptographic systems are quite big. Shrinking 
a quantum cryptographic system to the size of a briefcase 
is already a big challenge. Shrinking it to the size of a 
smart card requires much ingenuity and development. 

(F) Cost is too high. 

The acceptable additional cost of a more secure cryp- 
tographic product for individual consumers is essentially 
zero while the components of existing quantum cryptographic 
systems cost hundreds or even thousands of dollars. 

(G) Integration with existing infrastructure in 
information technology requires further develop- 
ments. 

Except for niche markets, we cannot expect an opti- 
cal fiber to be solely dedicated to quantum communica- 
tions for any substantial period of time. The integration 
of quantum technology with conventional and existing 
infrastructure in information technology requires much 
further work. 

D. Security roadblocks 

(H) Known loopholes in current implementa- 
tions 

While quantum cryptography claims to offer perfect se- 
curity in theory, in practice current experimental imple- 
mentations contain quite a number of security loopholes. 
It has been argued that essentially none of the existing 
implementations is actually secure [||. Plugging those 
known loopholes is a highly non-trivial experimental and 
theoretical design problem. 

(I) Hidden loopholes in implementations 

All security analyses of quantum cryptographic systems 
involve idealizations. It is highly probable that 
many other fatal security loopholes in the implementations 
of quantum cryptography remain to be discovered. 
Given the slippery nature of the subject, quantum cryptography 
hardly inspires the confidence of potential users. 

The best way to construct a secure cryptographic system 
is to try hard to break it. Unfortunately, until recently 
very few people worked on breaking quantum cryptographic 
systems. Without an army of people trying to 
break them, the security of quantum cryptographic systems 
is largely untested. 

E. Psychological/Vested Interest roadblocks 

(J) Conventional cryptographers have no confi- 
dence in quantum mechanics. 

Most conventional cryptographers do not understand 
quantum mechanics. Nor are they familiar with its many 
applications. In any case, the burden of proof of the use- 
fulness of a new technology lies on its own practitioners, 
not conventional cryptographers. In contrast, from their 
point of view, things like the one-way function hypoth- 
esis, the hardness of factoring are well-tested principles 
and something that they understand well. It is wishful 
thinking to ask them to take a leap of faith by abandon- 
ing their well cherished philosophy and taking up a black 
box philosophy for no apparent good reason. 

Moreover, Neal Koblitz remarked in Crypto '97 (the 
most important international conference in fundamental 
research in cryptography) that many cryptographers hate 
quantum computation because if it flies, it will put many 
of them out of business. Indeed, if a quantum computer 
is ever built, many public key cryptographic schemes that 
are widely used today will be totally unsafe. This could 
potentially kill public key cryptography and throw cryp- 
tography back to the "dark age" — a nightmare sce- 
nario for electronic commerce and data security. [See, 
however, Q| for a discussion of the possibility that public 
key cryptography may actually survive quantum attacks.] 
Since quantum cryptography is a part of quantum infor- 
mation processing, it is only natural that conventional 
cryptographers may not like it either. 

(K) Vendors of conventional cryptographic 
products have vested interests in promoting and 
preserving conventional technologies. 

If this is what conventional cryptographers might think 
as individual researchers, you can imagine what existing 
crypto-system vendors might think about quantum cryp- 
tography: Quantum cryptography is far more likely to be 
seen as an unwelcome threat rather than a potential op- 
portunity. 

In the history of technological developments, disrup- 
tive technologies are often made possible by new firms 
rather than existing firms that have large stakes in the 
dominant existing technology. 



F. Political/Legal roadblocks 

(L) Quantum cryptography may be limited by 
governmental crypto control policies. 

As mentioned earlier, in the US, usage/export of strong 
cryptography is subject to stringent governmental con- 
trol. Any future usage/export of quantum cryptographic 
systems will be subject to the same stringent set of regu- 
lations. How to reconcile the main selling point of quan- 
tum cryptography (strong security) and cryptography 
control (limitation on the employment of strong cryptog- 
raphy) is a subject that deserves future investigations. 

IV. FUTURE DIRECTIONS 

Having discussed the various roadblocks to the future 
widespread applications of quantum cryptography, I hope 
that you will agree that the issue of commercial feasibil- 
ity is much more complicated than a research scientist 
may naively think. Certainly, my own grasp of the prob- 
lem is limited. If there is a lesson in this talk, it is the 
following: To better understand the issue of commercial 
feasibility, it is best for quantum cryptographers to en- 
gage more in constructive conversations with people in 
the real world (users, vendors, conventional cryptogra- 
phers, government officials, etc). While we do not have 
to agree with what they say, it is important for us to 
understand their views clearly. The future adoption of 
quantum cryptography relies on their acceptance. 

On the more technical side, I offer the following sub- 
jective list of future directions. 

1. Develop new applications for quantum cryp- 
tography: 

In my opinion, it is important to develop new appli- 
cations of quantum cryptography such as signature and 
authentication schemes, quantum voting, etc. Since var- 
ious no-go theorems have ruled out the possibility of 
a number of cryptographic primitives, future quantum 
cryptographic systems may well be based on quantum 
computational assumptions. Therefore, it would be of 
practical interest to invent a "quantum one-way trapdoor 
function" and public key based quantum cryptographic 
systems. 

One possible viewpoint to take is to regard quantum 
cryptography as a natural extension (rather than a replacement) 
of conventional cryptography and put its 
foundation on computational assumptions on both con- 
ventional cryptography and quantum mechanics. How 
to combine the advantages offered by quantum mechanics 
and public key infrastructure is a big issue. It would be of 
particular interest to construct a public-key based quan- 
tum encryption scheme and show rigorously that break- 
ing it will require the simultaneous breaking of widely 
accepted assumptions in both conventional cryptography 
(such as cracking the Diffie-Hellman key exchange 
scheme) and quantum computation (such as the ability 
to achieve quantum computation/measurement involv- 
ing more than N qubits). Such an encryption scheme 
will convince people in both conventional and quantum 
cryptographic communities that it is secure against any 
realistic attacks. 

[Brassard has emphasized the possibility that con- 
ventional public key cryptography may actually survive 
quantum attacks. According to 0, it has been argued in 
H that quantum resistant one-way function that can be 
computed efficiently with classical computers but cannot 
be inverted efficiently even with a quantum computer 
may well exist. That would be bad news for quantum 
cryptographers, though.] 

2. Use teleportation [10] to plug security loop- 
holes 

A major criticism of quantum cryptography is that 
it may contain many hidden security loopholes. For in- 
stance, while it is often assumed that a photon source 
emits single photons, in real life perfect single photon 
sources are notoriously hard to make. Besides, exper- 
imental systems generally contain higher energy levels 
whose occupancy is totally ignored in most security anal- 
ysis. Indeed, as emphasized by, for example, John Smolin 
p2| , it is even conceivable in principle that an eavesdrop- 
per can hide a quantum robot in the quantum signals 
received by the two users. Owing to this quantum Tro- 
jan Horse problem, quantum cryptographic systems seem 
inherently unsafe. 

Nonetheless, one can argue that by using teleportation, 
quantum cryptographic systems can be made no more 
unsafe than conventional ones p"l| ]. One can reduce the 
quantum Trojan Horse problem to a conventional Trojan 
Horse problem. This is done by the following method. In- 
stead of receiving any untrusted quantum signals from a 
quantum channel, each user insists that any signal should 
be teleported to him/her. For instance, Bob prepares 
locally an EPR pair and sends a member to a labora- 
tory outside his door. Any incoming quantum signal will 
be teleported to him by his doorman outside his door. 
What he receives are just classical messages. Note that 
teleportation provides an exact counting of the number 
of dimensions of Hilbert space of the reconstructed state. 
This is so even if the original EPR pair that Bob prepares 
is imperfect and contains hidden dimensions. 

Of course, the problem of classical Trojan Horse attack 
remains. But, this is inevitable. Since Bob's goal is to 
receive classical communications from Alice through an 
untrusted channel, if receiving untrusted classical mes- 
sages is a problem, the whole enterprise of secure com- 
munication is simply hopeless. 
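
The doorman arrangement described above can be simulated with a three-qubit state vector. The following is an added example, not part of the original paper: it models ideal qubits and a perfect EPR pair only, and the function names (including the `accept_classical` door check) are hypothetical. It shows that the only thing crossing Bob's door is a two-bit classical message, that the four messages are equally likely whatever the signal, and that Bob's own locally prepared qubit ends up in the signal state.

```python
import math
import random

SQ = 1 / math.sqrt(2)

def doorman_circuit(signal):
    """State of all three qubits after the doorman's Bell-basis rotation.

    Amplitude index = 4*q0 + 2*q1 + q2, where
      q0 = untrusted incoming signal (never enters Bob's lab),
      q1 = EPR half Bob handed to the doorman,
      q2 = EPR half that stays inside Bob's lab.
    """
    a, b = signal
    state = [0j] * 8
    for q0, amp in enumerate((a, b)):
        for e in (0, 1):                       # EPR pair (|00> + |11>)/sqrt(2)
            state[4 * q0 + 2 * e + e] = amp * SQ
    cnot = [0j] * 8                            # CNOT, control q0, target q1
    for i, amp in enumerate(state):
        q0, q1, q2 = (i >> 2) & 1, (i >> 1) & 1, i & 1
        cnot[4 * q0 + 2 * (q1 ^ q0) + q2] = amp
    out = [0j] * 8                             # Hadamard on q0
    for i, amp in enumerate(cnot):
        q0, rest = (i >> 2) & 1, i & 3
        out[rest] += amp * SQ
        out[4 + rest] += amp * SQ * (-1 if q0 else 1)
    return out

def outcome_probs(signal):
    """Probability of each two-bit result (m0, m1) of the doorman's measurement."""
    s = doorman_circuit(signal)
    return [abs(s[4 * m0 + 2 * m1]) ** 2 + abs(s[4 * m0 + 2 * m1 + 1]) ** 2
            for m0 in (0, 1) for m1 in (0, 1)]

def accept_classical(msg):
    """Bob's door check (hypothetical helper): exactly two bits, nothing else."""
    return (isinstance(msg, tuple) and len(msg) == 2
            and all(type(bit) is int and bit in (0, 1) for bit in msg))

def teleport(signal, rng):
    """Return (classical message, state of Bob's local qubit after correction)."""
    s = doorman_circuit(signal)
    probs = outcome_probs(signal)
    k = rng.choices(range(4), weights=probs)[0]   # doorman measures q0 and q1
    msg = (k >> 1, k & 1)
    if not accept_classical(msg):
        raise ValueError("rejected at the door")
    m0, m1 = msg
    norm = math.sqrt(probs[k])
    bob = [s[4 * m0 + 2 * m1 + q2] / norm for q2 in (0, 1)]
    if m1:                                        # Pauli X correction
        bob = [bob[1], bob[0]]
    if m0:                                        # Pauli Z correction
        bob = [bob[0], -bob[1]]
    return msg, bob

def fidelity(signal, bob):
    """|<signal|bob>|^2; 1.0 means Bob reconstructed the signal exactly."""
    a, b = signal
    return abs(complex(a).conjugate() * bob[0]
               + complex(b).conjugate() * bob[1]) ** 2

if __name__ == "__main__":
    sig = (0.6, 0.8j)                             # constructed sample qubit
    print(outcome_probs(sig))
    msg, bob = teleport(sig, random.Random(7))
    print(msg, round(fidelity(sig, bob), 9))
```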



3. Use quantum repeaters [13] to extend the 
range of secure quantum key distribution. 

This is crucial if quantum key distribution is ever to 
make any impact on intercontinental communication. 

4. Increase data rate for quantum key distribution. 

Existing schemes for quantum key distribution such as 
BB84 and Ekert's scheme are based on two-level quantum 
systems and as such their data rates are limited. If quan- 
tum cryptography is ever widely used as one-time pad 
for encrypting massive data in communications, higher 
level systems and particularly continuous variable quan- 
tum cryptography are a way to go forward. This would 
mean that many of the current investigations may be- 
come obsolete in the near future. 

5. Miniaturization. 

The ultimate goal is to reduce the size of quantum 
cryptographic systems to that of a smart card or a com- 
pact disc. 

6. Integration with existing infrastructure in 
information technology. 

It may be hard to justify the cost of construction of an 
entirely new infrastructure dedicated to the long-distance 
transmission of quantum signals. Integration of quantum 
technology with existing infrastructure (including optical 
fibers) in information technology is, therefore, an impor- 
tant subject. 

7. Towards an international standard for quan- 
tum cryptography. 

Ultimately, some form of international standards will 
be needed for the widespread deployment of quantum 
cryptography. 

8. We need quantum hackers. 

We have seen encouraging signs that researchers are 
finally taking a critical look at the security of current 
experimental implementations of quantum cryptographic 
systems 0. In order to better understand the real risk 
of employing quantum cryptography, much more should 
be done on the subject. 

An attacker should attack a Chinese Wall from its 
weakest point. The weakest point of a cryptographic sys- 
tem often lies in the blindspot of its designers. A cryp- 
tographer may regard a cryptographic system as a math- 
ematical black box function which provides an output for 
each input. However, in real life the box is never black 
to begin with. (Private keys embedded in a smart card 
circuitry may be read out by illuminating the smart card 
with various wavelengths of electromagnetic radiations.) 
The black box also gives out timing information, power 
consumption information, etc, etc. The inputs to the 
black box include also its power supply, something that 
is subject to manipulations by malicious parties. The 
designer of the black box may try to cheat by designing 
a black box that leaks information in a subtle encrypted 
way that can be read by only the designer. 

Indeed, in conventional cryptography, it is often the 
case that the most powerful attacks against a system have 
little to do with the fundamental design or mathemati- 
cal equations underlying the design. The devil is in the 
actual implementation, rather than the fundamental de- 
sign. If we are really interested in the future of quantum 
technology, we must face up to those subtle loopholes in 
implementations. A way to do so is to become a quantum 
hacker and devise innovative methods of cracking 
experimental quantum cryptographic systems. 

9. Crypto control of quantum cryptography? 

The issue of cryptography control of quantum cryptography 
remains to be addressed. I have no particular suggestion. 